Part of the GDPR regulations is that data should only be stored for as long as it's necessary. There's no strict time limit - but companies are not supposed to store data indefinitely.

It's therefore hard to see that keeping a full listing of all flights back to 2005 (or earlier) would be GDPR compliant.

(If Flying Blue had some concerns about certain flights/behaviour, surely they'd take action rather than just keeping the data for decades and launching an investigation years after the fact. And tracking the 10 consecutive years of Platinum, for example, for customers in the running for PfL doesn't strictly require that all details of the previous 10 years are retained - at some point when they are satisfied that a particular year's activities are OK, they no longer need to retain them for any putative investigation years down the line...)